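/*
 * Copyright (c) 2013-2019, 2022 Apple Inc. All rights reserved.
 *
 * @APPLE_LICENSE_HEADER_START@
 *
 * This file contains Original Code and/or Modifications of Original Code
 * as defined in and that are subject to the Apple Public Source License
 * Version 2.0 (the 'License'). You may not use this file except in
 * compliance with the License. Please obtain a copy of the License at
 * http://www.opensource.apple.com/apsl/ and read it before using this
 * file.
 *
 * The Original Code and all software distributed under the License are
 * distributed on an 'AS IS' basis, WITHOUT WARRANTY OF ANY KIND, EITHER
 * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES,
 * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE, QUIET ENJOYMENT OR NON-INFRINGEMENT.
 * Please see the License for the specific language governing rights and
 * limitations under the License.
 *
 * @APPLE_LICENSE_HEADER_END@
 */

/*
 * content_filter.h
 *
 * Wire format and kernel interface of the Content Filter (CFIL) subsystem.
 *
 * Everything under PRIVATE is shared between the kernel and a user-space
 * filter agent talking to the "com.apple.content-filter" kernel control
 * socket: each message is one packet on that socket, starting with a
 * struct cfil_msg_hdr.  Because these structures cross the kernel/user
 * boundary they are ABI: field order, widths, alignment attributes and
 * fixed array sizes must not change.  Length and count fields carried in
 * messages are attacker-controllable from the sending side and must be
 * validated by the receiver against the real packet size (the kernel keeps
 * cfs_ctl_action_bad_len / cfs_ctl_action_bad_op counters for rejected
 * actions, see struct cfil_stats).
 *
 * Everything under BSD_KERNEL_PRIVATE is the in-kernel entry point set
 * called from the socket layer.
 */

#ifndef __CONTENT_FILTER_H__
#define __CONTENT_FILTER_H__

#include <sys/param.h>
#include <sys/types.h>
#include <sys/_types/_timeval64.h>
#include <sys/socket.h>
#include <sys/syslog.h>
#include <netinet/in.h>
#include <stdint.h>
#include <corecrypto/ccsha2.h>

#ifdef BSD_KERNEL_PRIVATE
#include <sys/mbuf.h>
#include <sys/socketvar.h>
#endif /* BSD_KERNEL_PRIVATE */

#ifndef XNU_KERNEL_PRIVATE
#include <TargetConditionals.h>
#endif

__BEGIN_DECLS

#ifdef PRIVATE

/*
 * Kernel control name for an instance of a Content Filter
 * Use CTLIOCGINFO to find out the corresponding kernel control id
 * to be set in the sc_id field of sockaddr_ctl for connect(2)
 * Note: the sc_unit is ephemeral
 */
#define CONTENT_FILTER_CONTROL_NAME "com.apple.content-filter"

/*
 * Opaque socket identifier
 *
 * Identifies a filtered socket in every message and in the sysctl
 * statistics.  CFIL_SOCK_ID_NONE is the reserved "no socket" value.
 */
typedef uint64_t cfil_sock_id_t;

#define CFIL_SOCK_ID_NONE UINT64_MAX


/*
 * CFIL_OPT_NECP_CONTROL_UNIT
 * To set or get the NECP filter control unit for the kernel control socket
 * The option level is SYSPROTO_CONTROL
 */
#define CFIL_OPT_NECP_CONTROL_UNIT 1 /* uint32_t */

/*
 * CFIL_OPT_GET_SOCKET_INFO
 * To get information about a given socket that is being filtered.
 * (The option value is a struct cfil_opt_sock_info, keyed by cfs_sock_id.)
 */
#define CFIL_OPT_GET_SOCKET_INFO 2 /* uint32_t */

/*
 * CFIL_OPT_PRESERVE_CONNECTIONS
 * To set or get the preserve-connections setting for the filter
 */
#define CFIL_OPT_PRESERVE_CONNECTIONS 3 /* uint32_t */

/*
 * struct cfil_opt_sock_info
 *
 * Contains information about a socket that is being filtered.
 *
 * cfs_e_pid / cfs_e_uuid: by analogy with the effective_pid /
 * effective_uuid fields of struct cfil_crypto_data these appear to be
 * the effective (responsible) process identity — confirm against cfil.c.
 */
struct cfil_opt_sock_info {
	cfil_sock_id_t cfs_sock_id;
	int cfs_sock_family; /* e.g. PF_INET */
	int cfs_sock_type; /* e.g. SOCK_STREAM */
	int cfs_sock_protocol; /* e.g. IPPROTO_TCP */
	union sockaddr_in_4_6 cfs_local;
	union sockaddr_in_4_6 cfs_remote;
	pid_t cfs_pid;
	pid_t cfs_e_pid;
	uuid_t cfs_uuid;
	uuid_t cfs_e_uuid;
};

/*
 * How many filters may be active simultaneously
 * (also sizes the ces_entries array of struct cfil_sock_stat)
 */

#define CFIL_MAX_FILTER_COUNT 8

/*
 * Crypto Support
 *
 * Event messages carry a fixed-size signature computed with a key the
 * filter hands to the kernel via CFM_OP_SET_CRYPTO_KEY.  The key is
 * CCSHA256_OUTPUT_SIZE bytes; the signature is CFIL_CRYPTO_SIGNATURE_SIZE
 * bytes.  The digest used is whatever ccdigest_info the kernel installs
 * in cfil_crypto_state — not fixed by this header.
 */
#define CFIL_CRYPTO 1
#define CFIL_CRYPTO_SIGNATURE_SIZE 32
#define CFIL_CRYPTO_DATA_EVENT 1

typedef uint8_t cfil_crypto_key[CCSHA256_OUTPUT_SIZE];
typedef uint8_t cfil_crypto_signature[CFIL_CRYPTO_SIGNATURE_SIZE];

/*
 * Kernel-side signing state: the digest to use and the key material
 * received from the filter.  Holds a secret; callers that tear this down
 * are expected to clear `key` explicitly (not enforced here).
 */
typedef struct cfil_crypto_state {
	const struct ccdigest_info *digest_info;
	cfil_crypto_key key;
} *cfil_crypto_state_t;

/*
 * Flow description that is covered by a signature.  Field set mirrors
 * what struct cfil_msg_sock_attached and struct cfil_msg_sock_closed
 * report about a flow.
 */
typedef struct cfil_crypto_data {
	uuid_t flow_id;
	u_int64_t sock_id;
	u_int32_t direction;
	union sockaddr_in_4_6 remote;
	union sockaddr_in_4_6 local;
	u_int32_t socketProtocol;
	pid_t pid;
	pid_t effective_pid;
	uuid_t uuid;
	uuid_t effective_uuid;
	u_int64_t byte_count_in;
	u_int64_t byte_count_out;
} *cfil_crypto_data_t;

/*
 * Types of messages
 *
 * Event messages flow from kernel to user space while action
 * messages flow in the reverse direction.
 * A message is entirely represented by a packet sent or received
 * on a Content Filter kernel control socket.
 */
#define CFM_TYPE_EVENT 1 /* message from kernel */
#define CFM_TYPE_ACTION 2 /* message to kernel */

/*
 * Operations associated with events from kernel
 */
#define CFM_OP_SOCKET_ATTACHED 1 /* a socket has been attached */
#define CFM_OP_SOCKET_CLOSED 2 /* a socket is being closed */
#define CFM_OP_DATA_OUT 3 /* data being sent */
#define CFM_OP_DATA_IN 4 /* data being received */
#define CFM_OP_DISCONNECT_OUT 5 /* no more outgoing data */
#define CFM_OP_DISCONNECT_IN 6 /* no more incoming data */
#define CFM_OP_STATS 7 /* periodic stats report(s) */

/*
 * Operations associated with action from filter to kernel
 * (distinct numbering range from the event ops so a type/op mismatch
 * is detectable; the kernel counts rejects in cfs_ctl_action_bad_op)
 */
#define CFM_OP_DATA_UPDATE 16 /* update pass or peek offsets */
#define CFM_OP_DROP 17 /* shutdown socket, no more data */
#define CFM_OP_BLESS_CLIENT 18 /* mark a client flow as already filtered, passes a uuid */
#define CFM_OP_SET_CRYPTO_KEY 19 /* assign client crypto key for message signing */

/*
 * struct cfil_msg_hdr
 *
 * Header common to all messages
 *
 * cfm_len is the total length of the message including this header and
 * any trailing variable data (content bytes of a data event, stats
 * entries of a stats report).  A receiver must not trust it blindly:
 * check it against the number of bytes actually received and against
 * the fixed size of the structure selected by cfm_type/cfm_op before
 * touching any field past the header.
 */
struct cfil_msg_hdr {
	uint32_t cfm_len; /* total length */
	uint32_t cfm_version;
	uint32_t cfm_type;
	uint32_t cfm_op;
	cfil_sock_id_t cfm_sock_id;
};

#define CFM_VERSION_CURRENT 1

/*
 * Connection Direction
 * (values carried in cfs_conn_dir and, presumably, cfil_crypto_data.direction)
 */
#define CFS_CONNECTION_DIR_IN 0
#define CFS_CONNECTION_DIR_OUT 1

#define CFS_REAL_AUDIT_TOKEN 1

#define CFS_MAX_DOMAIN_NAME_LENGTH 256


/*
 * struct cfil_msg_sock_attached
 *
 * Information about a new socket being attached to the content filter
 *
 * Action: No reply is expected as this does not block the creation of the
 * TCP/IP but timely action must be taken to avoid user noticeable delays.
 *
 * Valid Types: CFM_TYPE_EVENT
 *
 * Valid Op: CFM_OP_SOCKET_ATTACHED
 *
 * Notes for consumers:
 *  - cfs_signature_length describes how many bytes of cfs_signature are
 *    meaningful; a value larger than CFIL_CRYPTO_SIGNATURE_SIZE is invalid
 *    and must be rejected rather than used as a read length.
 *  - cfs_remote_domain_name is a fixed array; nothing in this declaration
 *    guarantees NUL-termination, so bound any string read to
 *    CFS_MAX_DOMAIN_NAME_LENGTH.
 *  - cfs_audit_token / cfs_real_audit_token are raw audit_token_t images
 *    (8 x unsigned int); the layout comment below is the only coupling.
 */
struct cfil_msg_sock_attached {
	struct cfil_msg_hdr cfs_msghdr;
	int cfs_sock_family; /* e.g. PF_INET */
	int cfs_sock_type; /* e.g. SOCK_STREAM */
	int cfs_sock_protocol; /* e.g. IPPROTO_TCP */
	int cfs_unused; /* padding */
	pid_t cfs_pid;
	pid_t cfs_e_pid;
	uuid_t cfs_uuid;
	uuid_t cfs_e_uuid;
	union sockaddr_in_4_6 cfs_src;
	union sockaddr_in_4_6 cfs_dst;
	int cfs_conn_dir;
	unsigned int cfs_audit_token[8]; /* Must match audit_token_t */
	unsigned int cfs_real_audit_token[8]; /* Must match audit_token_t */
	cfil_crypto_signature cfs_signature;
	uint32_t cfs_signature_length;
	char cfs_remote_domain_name[CFS_MAX_DOMAIN_NAME_LENGTH];
};

/*
 * CFIL data flags
 */
#define CFD_DATA_FLAG_IP_HEADER 0x00000001 /* Data includes IP header */

/*
 * struct cfil_msg_data_event
 *
 * Event for the content filter to act on a span of data
 * A data span is described by a pair of offsets over the cumulative
 * number of bytes sent or received on the socket.
 *
 * Action: The event must be acted upon but the filter may buffer
 * data spans until it has enough content to make a decision.
 * The action must be timely to avoid user noticeable delays.
 *
 * Valid Type: CFM_TYPE_EVENT
 *
 * Valid Ops: CFM_OP_DATA_OUT, CFM_OP_DATA_IN
 *
 * The content bytes follow the structure in the same packet; their
 * length is cfd_msghdr.cfm_len - sizeof(struct cfil_msg_data_event),
 * which the receiver must check is non-negative and within the packet
 * before reading.  Whether it equals cfd_end_offset - cfd_start_offset
 * is not established by this header.  cfd_signature_length is subject
 * to the same <= CFIL_CRYPTO_SIGNATURE_SIZE check as in the attach event.
 */
struct cfil_msg_data_event {
	struct cfil_msg_hdr cfd_msghdr;
	union sockaddr_in_4_6 cfc_src;
	union sockaddr_in_4_6 cfc_dst;
	uint64_t cfd_start_offset;
	uint64_t cfd_end_offset;
	cfil_crypto_signature cfd_signature;
	uint32_t cfd_signature_length;
	uint32_t cfd_flags;
	/* Actual content data immediately follows */
};

#define CFI_MAX_TIME_LOG_ENTRY 6
/*
 * struct cfil_msg_sock_closed
 *
 * Information about a socket being closed to the content filter
 *
 * Action: No reply is expected as this does not block the closing of the
 * TCP/IP.
 *
 * Valid Types: CFM_TYPE_EVENT
 *
 * Valid Op: CFM_OP_SOCKET_CLOSED
 *
 * cfc_op_list / cfc_op_time form a small trace of the last operations on
 * the flow: cfc_op_list_ctr counts how many were recorded, the arrays are
 * CFI_MAX_TIME_LOG_ENTRY long, so readers must clamp the counter to that
 * bound.  CFC_CLOSED_EVENT_LADDR is presumably a flag announcing that
 * cfc_laddr is populated — verify against the producer in cfil.c.
 */
struct cfil_msg_sock_closed {
	struct cfil_msg_hdr cfc_msghdr;
	struct timeval64 cfc_first_event;
	uint32_t cfc_op_list_ctr;
	uint32_t cfc_op_time[CFI_MAX_TIME_LOG_ENTRY]; /* time interval in microseconds since first event */
	unsigned char cfc_op_list[CFI_MAX_TIME_LOG_ENTRY];
	uint64_t cfc_byte_inbound_count;
	uint64_t cfc_byte_outbound_count;
#define CFC_CLOSED_EVENT_LADDR 1
	union sockaddr_in_4_6 cfc_laddr;
	cfil_crypto_signature cfc_signature;
	uint32_t cfc_signature_length;
} __attribute__((aligned(8)));

/*
 * struct cfil_msg_stats_report
 *
 * Statistics report for flow(s).
 *
 * Action: No reply is expected.
 *
 * Valid Types: CFM_TYPE_EVENT
 *
 * Valid Op: CFM_OP_STATS
 *
 * cfr_stats is a flexible array of cfr_count entries; the receiver must
 * verify cfr_count * sizeof(struct cfil_msg_sock_stats) fits inside
 * cfr_msghdr.cfm_len (and the packet) before indexing.
 */
struct cfil_msg_sock_stats {
	cfil_sock_id_t cfs_sock_id;
	uint64_t cfs_byte_inbound_count;
	uint64_t cfs_byte_outbound_count;
	union sockaddr_in_4_6 cfs_laddr;
} __attribute__((aligned(8)));

struct cfil_msg_stats_report {
	struct cfil_msg_hdr cfr_msghdr;
	uint32_t cfr_count;
	struct cfil_msg_sock_stats cfr_stats[];
} __attribute__((aligned(8)));

/*
 * struct cfil_msg_action
 *
 * Valid Type: CFM_TYPE_ACTION
 *
 * Valid Ops: CFM_OP_DATA_UPDATE, CFM_OP_DROP
 *
 * For CFM_OP_DATA_UPDATE:
 *
 * cfa_in_pass_offset and cfa_out_pass_offset indicates how much data is
 * allowed to pass. A zero value does not modify the corresponding pass offset.
 *
 * cfa_in_peek_offset and cfa_out_peek_offset lets the filter specify how much
 * data it needs to make a decision: the kernel will deliver data up to that
 * offset (if less than cfa_pass_offset it is ignored). Use CFM_MAX_OFFSET
 * if you don't want the corresponding peek offset to be updated.
 *
 * This is the message the kernel parses from user space; every field is
 * untrusted input to the kernel.
 */
struct cfil_msg_action {
	struct cfil_msg_hdr cfa_msghdr;
	uint64_t cfa_in_pass_offset;
	uint64_t cfa_in_peek_offset;
	uint64_t cfa_out_pass_offset;
	uint64_t cfa_out_peek_offset;
	uint32_t cfa_stats_frequency; // Statistics frequency in milliseconds
};

/*
 * struct cfil_msg_bless_client
 *
 * Marks a client UUID as already filtered at a higher level.
 *
 * Valid Type: CFM_TYPE_ACTION
 *
 * Valid Ops: CFM_OP_BLESS_CLIENT
 */
struct cfil_msg_bless_client {
	struct cfil_msg_hdr cfb_msghdr;
	uuid_t cfb_client_uuid;
};

/*
 * struct cfil_msg_set_crypto_key
 *
 * Filter assigning client crypto key to CFIL for message signing
 *
 * Valid Type: CFM_TYPE_ACTION
 *
 * Valid Ops: CFM_OP_SET_CRYPTO_KEY
 *
 * Carries key material; the user-space sender should not keep copies
 * around longer than needed, and the kernel copies it into
 * cfil_crypto_state.key.
 */
struct cfil_msg_set_crypto_key {
	struct cfil_msg_hdr cfb_msghdr;
	cfil_crypto_key crypto_key;
};

#define CFM_MAX_OFFSET UINT64_MAX

/*
 * Statistics retrieved via sysctl(3)
 *
 * Per-filter, per-entry, per-socket and global counters.  The *_len
 * fields are the record sizes so user-space tools can walk a variable
 * length sysctl buffer across header versions.
 */
struct cfil_filter_stat {
	uint32_t cfs_len;
	uint32_t cfs_filter_id;
	uint32_t cfs_flags;
	uint32_t cfs_sock_count;
	uint32_t cfs_necp_control_unit;
};

/* One filter's view of one socket: queue/offset state in each direction. */
struct cfil_entry_stat {
	uint32_t ces_len;
	uint32_t ces_filter_id;
	uint32_t ces_flags;
	uint32_t ces_necp_control_unit;
	struct timeval64 ces_last_event;
	struct timeval64 ces_last_action;
	struct cfe_buf_stat {
		uint64_t cbs_pending_first;
		uint64_t cbs_pending_last;
		uint64_t cbs_ctl_first;
		uint64_t cbs_ctl_last;
		uint64_t cbs_pass_offset;
		uint64_t cbs_peek_offset;
		uint64_t cbs_peeked;
	} ces_snd, ces_rcv;
};

/* Per-socket record; embeds one cfil_entry_stat slot per possible filter. */
struct cfil_sock_stat {
	uint32_t cfs_len;
	int cfs_sock_family;
	int cfs_sock_type;
	int cfs_sock_protocol;
	cfil_sock_id_t cfs_sock_id;
	uint64_t cfs_flags;
	pid_t cfs_pid;
	pid_t cfs_e_pid;
	uuid_t cfs_uuid;
	uuid_t cfs_e_uuid;
	struct cfi_buf_stat {
		uint64_t cbs_pending_first;
		uint64_t cbs_pending_last;
		uint64_t cbs_pass_offset;
		uint64_t cbs_inject_q_len;
	} cfs_snd, cfs_rcv;
	struct cfil_entry_stat ces_entries[CFIL_MAX_FILTER_COUNT];
};

/*
 * Global statistics
 *
 * Counters are int32_t (int64_t for the byte totals at the end).  The
 * cfs_ctl_rcvd_bad / cfs_ctl_action_bad_op / cfs_ctl_action_bad_len
 * counters are the place to look when a filter's actions are being
 * rejected by the kernel's message validation.
 */
struct cfil_stats {
	int32_t cfs_ctl_connect_ok;
	int32_t cfs_ctl_connect_fail;
	int32_t cfs_ctl_disconnect_ok;
	int32_t cfs_ctl_disconnect_fail;
	int32_t cfs_ctl_send_ok;
	int32_t cfs_ctl_send_bad;
	int32_t cfs_ctl_rcvd_ok;
	int32_t cfs_ctl_rcvd_bad;
	int32_t cfs_ctl_rcvd_flow_lift;
	int32_t cfs_ctl_action_data_update;
	int32_t cfs_ctl_action_drop;
	int32_t cfs_ctl_action_bad_op;
	int32_t cfs_ctl_action_bad_len;

	int32_t cfs_sock_id_not_found;

	int32_t cfs_cfi_alloc_ok;
	int32_t cfs_cfi_alloc_fail;

	int32_t cfs_sock_userspace_only;
	int32_t cfs_sock_attach_in_vain;
	int32_t cfs_sock_attach_already;
	int32_t cfs_sock_attach_no_mem;
	int32_t cfs_sock_attach_failed;
	int32_t cfs_sock_attached;
	int32_t cfs_sock_detached;

	int32_t cfs_attach_event_ok;
	int32_t cfs_attach_event_flow_control;
	int32_t cfs_attach_event_fail;

	int32_t cfs_closed_event_ok;
	int32_t cfs_closed_event_flow_control;
	int32_t cfs_closed_event_fail;

	int32_t cfs_data_event_ok;
	int32_t cfs_data_event_flow_control;
	int32_t cfs_data_event_fail;

	int32_t cfs_stats_event_ok;
	int32_t cfs_stats_event_flow_control;
	int32_t cfs_stats_event_fail;

	int32_t cfs_disconnect_in_event_ok;
	int32_t cfs_disconnect_out_event_ok;
	int32_t cfs_disconnect_event_flow_control;
	int32_t cfs_disconnect_event_fail;

	int32_t cfs_ctl_q_not_started;

	int32_t cfs_close_wait;
	int32_t cfs_close_wait_timeout;

	int32_t cfs_flush_in_drop;
	int32_t cfs_flush_out_drop;
	int32_t cfs_flush_in_close;
	int32_t cfs_flush_out_close;
	int32_t cfs_flush_in_free;
	int32_t cfs_flush_out_free;

	int32_t cfs_inject_q_nomem;
	int32_t cfs_inject_q_nobufs;
	int32_t cfs_inject_q_detached;
	int32_t cfs_inject_q_in_fail;
	int32_t cfs_inject_q_out_fail;

	int32_t cfs_inject_q_in_retry;
	int32_t cfs_inject_q_out_retry;

	int32_t cfs_data_in_control;
	int32_t cfs_data_in_oob;
	int32_t cfs_data_out_control;
	int32_t cfs_data_out_oob;

	int64_t cfs_ctl_q_in_enqueued __attribute__((aligned(8)));
	int64_t cfs_ctl_q_out_enqueued __attribute__((aligned(8)));
	int64_t cfs_ctl_q_in_peeked __attribute__((aligned(8)));
	int64_t cfs_ctl_q_out_peeked __attribute__((aligned(8)));

	int64_t cfs_pending_q_in_enqueued __attribute__((aligned(8)));
	int64_t cfs_pending_q_out_enqueued __attribute__((aligned(8)));

	int64_t cfs_inject_q_in_enqueued __attribute__((aligned(8)));
	int64_t cfs_inject_q_out_enqueued __attribute__((aligned(8)));
	int64_t cfs_inject_q_in_passed __attribute__((aligned(8)));
	int64_t cfs_inject_q_out_passed __attribute__((aligned(8)));
};
#endif /* PRIVATE */

#ifdef BSD_KERNEL_PRIVATE

/* mbuf flag aliased for CFIL: packets already handled by the filter. */
#define M_SKIPCFIL M_PROTO5

/*
 * True when datagram socket `so` is under content filtering and has a
 * flow database attached.  `so` is parenthesized so an argument such as
 * `*sop` or a conditional expression binds correctly.
 */
#define CFIL_DGRAM_FILTERED(so) (((so)->so_flags & SOF_CONTENT_FILTER) && ((so)->so_flow_db != NULL))

extern int cfil_log_level;

/*
 * Debug logging gated on cfil_log_level.
 *
 * `fmt` must be a string literal: it is concatenated with "%s:%d " and
 * "\n" at compile time, which also means a non-literal (attacker
 * influenced) format string cannot be passed here.  `level` is
 * parenthesized so expressions such as `a ? b : c` compare as intended.
 * __FUNCTION__ and ##__VA_ARGS__ are GNU extensions, fine for XNU.
 */
#define CFIL_LOG(level, fmt, ...) \
	do { \
		if (cfil_log_level >= (level)) \
			printf("%s:%d " fmt "\n",\
			    __FUNCTION__, __LINE__, ##__VA_ARGS__); \
	} while (0)


/* One-time registration of the CFIL mbuf tag type. */
extern void cfil_register_m_tag(void);

/* Subsystem initialization, called once at boot. */
extern void cfil_init(void);

/* Fast check used by the socket layer to skip CFIL when no filter is attached. */
extern boolean_t cfil_filter_present(void);
extern boolean_t cfil_sock_connected_pending_verdict(struct socket *so);
extern boolean_t cfil_sock_is_dead(struct socket *so);
extern boolean_t cfil_sock_tcp_add_time_wait(struct socket *so);

/*
 * Attach/detach a socket to the content filter.  `dir` is presumably one
 * of CFS_CONNECTION_DIR_IN / CFS_CONNECTION_DIR_OUT — confirm in cfil.c.
 */
extern errno_t cfil_sock_attach(struct socket *so,
    struct sockaddr *local, struct sockaddr *remote, int dir);
extern errno_t cfil_sock_detach(struct socket *so);

/*
 * Data path hooks.  Ownership of `data`/`control` mbufs on the various
 * return values is defined by the implementation, not by this header.
 */
extern int cfil_sock_data_out(struct socket *so, struct sockaddr *to,
    struct mbuf *data, struct mbuf *control,
    uint32_t flags, struct soflow_hash_entry *);
extern int cfil_sock_data_in(struct socket *so, struct sockaddr *from,
    struct mbuf *data, struct mbuf *control,
    uint32_t flags, struct soflow_hash_entry *);

/* Shutdown/close notifications from the socket layer. */
extern int cfil_sock_shutdown(struct socket *so, int *how);
extern void cfil_sock_is_closed(struct socket *so);
extern void cfil_sock_notify_shutdown(struct socket *so, int how);
extern void cfil_sock_close_wait(struct socket *so);

/* Socket-buffer accounting queries for data held by the filter. */
extern boolean_t cfil_sock_data_pending(struct sockbuf *sb);
extern int cfil_sock_data_space(struct sockbuf *sb);
extern void cfil_sock_buf_update(struct sockbuf *sb);

/* Map a socket (or a datagram flow on it) to its cfil_sock_id_t. */
extern cfil_sock_id_t cfil_sock_id_from_socket(struct socket *so);
extern cfil_sock_id_t cfil_sock_id_from_datagram_socket(struct socket *so, struct sockaddr *local, struct sockaddr *remote);

/* Datagram state carried on mbufs via the CFIL m_tag. */
extern struct m_tag *cfil_dgram_get_socket_state(struct mbuf *m, uint32_t *state_change_cnt,
    uint32_t *options, struct sockaddr **faddr, int *inp_flags);
extern boolean_t cfil_dgram_peek_socket_state(struct mbuf *m, int *inp_flags);

#endif /* BSD_KERNEL_PRIVATE */

__END_DECLS

#endif /* __CONTENT_FILTER_H__ */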